Skip to main content
August 12, 2014

Stop Freaking Out About Facebook Messenger

Facebook recently announced that mobile chat functionality would soon require users to install Facebook Messenger. Fueled by the media, many people have been overreacting about the permissions that Messenger requests before taking time to understand what the true privacy implications were.

In a nutshell, Messenger is hardly an outlier relative to the other social media apps on your phone.

Why the uproar, then? In part, people love to pick on Facebook because of their past privacy UI transgressions. They've deserved much of that. But it's a little crazy that there's such an incendiary reaction to the privacy implications of a mobile app that, permissions-wise, isn't that different from the multitude of social apps people happily download without a second thought.

Still skeptical? We (and by "we" I mean Andrew Reiter) made a list of the Android permissions requested by the latest Facebook Messenger app. Then we checked the remaining 49 of the top 50 social apps in the Google Play store to see how many of those requested the same permissions. To nobody's surprise whatsoever, they are all pretty greedy.

If it's not obvious how to read this chart, here's an example: 67% of the other popular social apps also require the READ_CONTACTS permission. 47% of them require the CAMERA permission. And so on. Again, this shouldn't surprise anybody. Mobile apps need these permissions if you want them to function properly. Messenger is a feature-packed app; some of the others may not be. Asking for all those permissions doesn't necessarily mean the access will be abused. We didn't do the meta-analysis to determine how many of those permissions were requested by first-party code vs. third-party ad libraries. Ad libraries are old news at this point, and it kind of doesn't matter who's asking for permission as long as you're granting it. So stop freaking out... at least until there is something to freak out about.

Chris Eng, Chief Research Officer, is responsible for integrating security expertise into Veracode’s technology. In addition to helping define and prioritize the security feature set of the Veracode service, he consults frequently with customers to discuss and advance their application security initiatives. With over 15 years of experience in application security, Chris brings a wealth of practical expertise to Veracode.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.